Learn from a Certified Hacker
By Matthew Calder from Microsoft Learning
Lots! Especially when he’s outlining the five steps every hacker follows!
On May 8, bring your questions to ‘Defense in Depth: Windows 8.1 Security,’ a live, online session highlighting tips and tricks for protecting your data in the real world. See how Windows 8.1 addresses security as a whole system, one layer at a time. Explore methods of developing a secure baseline and how to harden your Windows Enterprise architectures from pass-the-hash and other advanced attacks.
Join Certified Ethical Hacker and MVP Erdal Ozkaya and Microsoft Global Business Support Premier Field Engineer Milad Aslaner as they share entertaining demos on building an advanced defense strategy. Don’t miss this lively and informative look at how to stop hackers and malware engineers.
• IT Security Landscape Shift
• Five Steps Every Hacker Follows
• Windows Defense Techniques
• Hardening: Establish a Secure Baseline
On May 8. bring your questions to ‘Defense in Depth: Window« 81 Security/ a live, online session highlighting tips and
• IT Security Landscape Shift
• Hardening: Establish a Secure Baseline Defense in Depth: Windows 81 Security
Date: May 8. 2014 Time: 900am-5d0pm PDT
For more click here
Below is a short list of TO DO if you experience an attack in your network / computer.
Please note, this blog post is not technical, if you want some technical information you can watch my prerecorded sessions, training classes , to make your life easier I am including the links on the appendix section of this post as well
1) Don’t Panic
Yes, this is easy to write and recommend but hard to do, keep in mind panicking won’t help you at al. So what should you do next?
2) Implement the incidence response plan (if you have it)
If you have a Computer Incidence Response Team, get them on the phone and let them know what you think has happened. If you have a vendor contract such as Microsoft Premier ,log the event and notify them ASAP. Inform also the management. If you not have any of those, make sure you know what you are doing, if not call for a professional help.
Microsoft Enterprise Cybersecurity Group has also a Service which is called “ Persistent Adversary Detection Service” (PADS) (http://download.microsoft.com/download/5/0/8/50856745-C5AE-451A-80DC-47A920B9D545/AFCEA_PADS_Datasheet.pdf) which may help you proactively.
3) Check the “infected system” and verify if there is a compromised system
Make sure to scan the system and mitigate the below possible issues
– Patch the Operating System, any application which is running on the systems
– Scan with an Offline Anti-Virus (Av)
– Cross check the scan with a Microsoft
– Restrict domain administrator accounts and other privileged accounts from authenticating to lower trust servers and workstations
–
If the system is infected, make sure to ISOLATE the System to contain the damage.
Make sure also to check “lateral movement/s” where attackers might have accessed your other systems in the network. This can help you to understand what happened, which data was compromised and how.
Pass the Hash is a common attack method. Make sure you read the whitepaper from Microsoft, to learn how you can mitigate it (http://www.microsoft.com/en-us/download/details.aspx?id=36036)
4) Check your Logs (Security, Network & system)
A good place to start to be able to see what happened in your network, server or client is usually checking the security logs of your Firewall’s, AV’s and System Security logs. They should give you a good indication on what is happening. This logs can be also used as evidence
– Revisit the list of ports requirement for each software and deviate from Standard ports wherever possible.
– Implement Auditing of Domain Admin/local Admin Accounts via any SIEM or event forwarding
–
5) Reset your Passwords
Immediately change the passwords of the any key accounts including Service accounts
Make sure the passwords are not a reused one and they meet the password complexity.
– Local Passwords
– Admin Passwords (https://technet.microsoft.com/en-us/library/ff629480.aspx)
– Service Account Passwords (https://technet.microsoft.com/en-us/library/dd391923(v=ws.10).aspx)
– VIP account passwords
– Resetting Windows Passwords (https://support.microsoft.com/en-us/kb/216393)
– Kerberos and Self-Service Password Reset (https://technet.microsoft.com/en-us/library/jj134304(v=ws.10).aspx)
– Ensure separate accounts are used by people who own administrative privileges forest wide or domain wide
– Ensure the passwords are unique and not reused
6) Build a Tactical Recovery Plan
Prioritize the order in which you’ll clean and then restore them to their previous states—starting with business-critical systems. Replace the current, compromised data, configurations, and applications with the most recent clean backup. As we recommended in previous step make sure to change the passwords for all affected systems, users, and applications, including the root password/s.
7) Check the “infected system”
Make sure to scan the system and mitigate the below possible issues
– Patch the Operating System
– Scan with an Offline Anti Virus (Av)
– Cross check the scan with a different AV
– If the system is infected, make sure to ISOLATE it
– Implement Sysmon (free Sysinternal utility) to analyze if there is some malicious activity over the critical servers
Cleaning the compromised system :
https://technet.microsoft.com/en-us/library/cc512587.aspx
https://technet.microsoft.com/en-us/library/cc512595.aspx
8) Revise your security policies and strategy
How to verify if the PC is hacked?
– Any unauthorized program is installed
– Suspicious DDLs, registry keys, network activities, spam e-mails
– Disabled AV
– Unable to connect to Security Vendor web sites
– Slow performance
– Internet browser acting wired
Free Vulnerability Scan / Patch Management
https://www.qualys.com/forms/freescan/
https://www.acunetix.com/free-network-security-scanner/
http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard
https://www.tenable.com/products/nessus-vulnerability-scanner
